Bits before bombs: How Stuxnet crippled Iran’s nuclear dreams

The future of warfare may have just begun, but rather than being heralded by an explosion, it began without a sound or a single casualty.

It is the first of its kind, and could be a signal of the ways all wars are fought from now on. It is a cyber weapon so precise that it can destroy a target more effectively than a conventional explosive, and then simply delete itself, leaving the victims left to blame themselves. It is a weapon that is so terrible that it could conceivably do more than just damage physical objects, it could kill ideas. It is the Stuxnet worm, dubbed by many as the world first real weapon of cyberwarfare, and its first target was Iran.

The dawn of cyberwarfare

Stuxnet is almost like something out of a Tom Clancy novel. Rather than sending in missiles to destroy a nuclear plant that threatens the entire region and the world, and is overseen by a president who has claimed that he would like to see an entire race of people “wiped off the map,” a simple computer virus can be introduced that will do the job far more effectively. To attack a structure with missiles can lead to war, and besides, buildings can be rebuilt. But to infect a system so completely that the people using it begin to doubt their faith in their own abilities will have far more devastating long-term effects.

In a rare moment of openness from Iran, the nation has confirmed that the Stuxnet malware (the name stems from keywords buried in the code) that was originally discovered in July, has damaged the country’s nuclear ambitions. Although Iran is downplaying the incident, some reports suggest that the worm was so effective, it may have set back the Iranian nuclear program by several years.

Rather than simply infect a system and destroy everything it touches, Stuxnet is far more sophisticated than that, and far more effective as well.

The worm is smart and adaptable. When it enters a new system, it remains dormant and learns the security system of the computer. Once it can operate without raising alarm, it then seeks out very specific targets and begins to attack certain systems. Rather than simply destroy its targets, it does something far more effective—it misleads them.

In a nuclear enrichment program, a centrifuge is a fundamental tool needed to refine the uranium. Each centrifuge built follows the same basic mechanics, but the German manufacturer Siemens offers what many consider to be the best in the industry. Stuxnet sought out the Siemens controllers and took command of the way the centrifuge spins. But rather than simply forcing the machines to spin until they destroyed themselves—which the worm was more than capable of doing—Stuxnet made subtle, and far more devious changes to the machines.

When a uranium sample was inserted into a Stuxnet-infected centrifuge for refinement, the virus would command the machine to spin faster than it was designed for, then suddenly stop. The results were thousands of machines that wore out years ahead of schedule, and more importantly, ruined samples. But the real trick of the virus was that while it was sabotaging the machinery, it would falsify the readings and make it appear as if everything was operating within the expected parameters.

After months of this, the centrifuges began to wear down and break, but as the readings still appeared to be within the norms, the scientists associated with the project began to second guess themselves. Iranian security agents began to investigate the failures, and the staff at the nuclear facilities lived under a cloud of fear and suspicion. This went on for over a year. If the virus had managed to completely avoid detection, it eventually would have deleted itself entirely and left the Iranians wondering what they were doing wrong.

For 17 months, the virus managed to quietly work its way into the Iranian systems, slowly destroying vital samples and damaging necessary equipment. Perhaps more than the damage to the machinery and the samples was the chaos the program was thrown into.

The Iranians grudgingly admit some of the damage

Iranian President Mahmoud Ahmadinejad has claimed that Stuxnet “managed to create problems for a limited number of our centrifuges,” which is a change from Iran’s earlier assertion that the worm had infected 30,000 computers, but had not affected the nuclear facilities. Some reports suggest at the Natanz facility, which houses the Iranian enrichment programs, 5,084 out of 8,856 centrifuges in use at the Iranian nuclear facilities were taken offline, possibly due to damage, and the plant has been forced to shut down at least twice due to the effects of the virus.

Stuxnet also targeted the Russian-made steam turbine that powers the Bushehr facility, but it appears that the virus was discovered before any real damage could be done. If the virus had not been uncovered, it would eventually have run the RPMs of the turbines too high and caused irreparable damage to the entire power plant. Temperature and cooling systems have also been identified as targets, but the results of the worm on these systems isn’t clear.

The discovery of the worm

In June of this year, the Belarus-based antivirus specialists, VirusBlokAda found a previously unknown malware program on the computer of an Iranian customer. After researching it, the antivirus company discovered that it was specifically designed to target Siemens SCADA (supervisory control and data acquisition) management systems, which are devices used in large-scale manufacturing. The first clue that something was different about this worm was that once the alert had been raised, every company that tried to pass on the alert was subsequently attacked and forced to shut down for at least 24 hours. The methods and reasons for the attacks are still a mystery.

Once the virus had been discovered, companies like Symantec and Kaspersky, two of the largest antivirus companies in the world, as well as several intelligence agencies, began to research Stuxnet, and found results that quickly made it obvious that this was no ordinary malware.

By the end of September, Symantec had discovered that nearly 60-percent of all the machines infected in the world were located in Iran. Once that had been discovered, it became more and more apparent that the virus was not designed simply to cause problems, as many pieces of malware are, but it had a very specific purpose and a target. The level of sophistication was also well above anything seen before, prompting Ralph Langner, the computer security expert who first discovered the virus, to declare that it was “like the arrival of an F-35 into a World War I battlefield”.